How Recon helped me to to find a Facebook domain takeover

Heyy Everyoneee,

Hope you all are doing good.In this writeup I am going to tell you how I was able to takeover a domain which was owned by Facebook.

Short Story

After my final exams got over,I setup some goals in which fb hof was one of them.Had to go through some N/As and informative reports.But finally I did it.

Here we Go ,

So if you go to https://www.facebook.com/whitehat/info/ you will find that their acquisitions ,partnerships are also inscope of their program.You can say that everything which they own is in scope excluding few domains only.So without wasting time I started collecting the domains which are owned by Facebook.

What’s the best way to find all the domains which are owned by a particular company ?

@0xpatrik has already written an article about it https://0xpatrik.com/asset-discovery/

Before you move ahead I recommend you to read his article.

Horizontal domain correlation:

Let’s start by checking the whois result of facebook.com

Image for post
Image for post
whois facebook.com

Look at the Registrant email it’s domain@fb.com you can use this email to find all the other sites which have the same registrant email as facebook.com

For reverse WHOIS I found this site https://tools.whoisxmlapi.com/reverse-whois-search really helpful. Or else you can use https://viewdns.info but there the results are limited and also tools like domlink or amass can be used for horizontal domain correlation as mentioned by @0xpatrik in his article.

Just go to https://tools.whoisxmlapi.com/reverse-whois-search and in the search field,enter the email.

Image for post
Image for post
https://tools.whoisxmlapi.com/reverse-whois-search (domain@fb.com)

We got around 2,756 unique domains which all have “domain@fb.com” in their whois scan result.

Now just don’t get stop here, we can still get some more domains last time we used the Registrant email , now this time we will use the Registrant Name and let’s see the difference now.

Image for post
Image for post
https://tools.whoisxmlapi.com/reverse-whois-search (Facebook, Inc)

Cool this time we get more domains than before around 3,441.

Now let’s remove the duplicate ones.Save all this in one file.Then

sort filename | uniq |tee outputFileName

Image for post
Image for post

So finally we have around 4k unique domains, which have either Facebook Inc or domain@fb.com in their whois scan result.You can still get some more domains use something else this time other than registrant email or name which you found common in the already collected domains.

After I collected all the domains , I used filter-resolved tool by @tomnomnom, to resolve all the domains.

cat fb2.txt | ~/tools/filter-resolved |tee live-domains.txt

Then I used subfinder, to find all the subdomains of the domains which were in live-domains.txt file.

subfinder -dL live-domains.txt -o subdomains.txt

Repeating the same process again, use filter-resolved for resolving all the subdomains which we found using subfinder.

Moving towards the last step, I used webscreenshot for taking screenshots of the subdomains.

And while going through the screenshots I found this domain www.buckbuild.com

Image for post
Image for post

Followed this article : https://0xpatrik.com/takeover-proofs/

Then I uploaded something to verify the takeover was successful or not.And yeah!! here we go ,found my first subdomain takeover.

Image for post
Image for post

POC time:

Image for post
Image for post

Timeline:
July. 08— Initial Report
July 11— Report Triaged
July 12 — Fixed
July. 17— Bounty awarded $500

Thankyou for reading it till the end.I hope you enjoyed reading it.

Well one thing which I want to share is after the screenshot part was done, I didn’t bother to look at them as they were all looking same ,I was like there’s no point in going through them other hunters might have already looked at those domains, so I left it.Then after a 2–3days again I looked at it and you all know what happened next.

Guys believe in yourself don’t feel like you will not find anything just because others are also looking at the same thing so your chance is less of finding something there.

Sya Everyoneeeee

Written by

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store